HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

VA Data Breaches Fell Dramatically in August

The VA Information Security Report usually makes for unpleasant reading, oftentimes detailing numerous mis-mailings, mis-handling accidents, lost PIV cards, and lost and stolen devices; however the data breach figures for August are surprisingly low, with considerably fewer records exposed than in previous months.

The number of veterans’ records exposed in July were half that of June, and the reduction has continued in August, with the VA data security report indicating just 431 veteran records were exposed. 127 breach notification letters were sent, and 304 individuals were offered credit protection services to mitigate the risk of harm. August has therefore been the best month for the VA since March 2015.

Victims of VA Data Breaches in 2015


Month Veteran Records Exposed
January 310
February 891
March 383
April 987
May 1018
June 2076
July 1031
August 431


Average number of records exposed per month: 890
Total number of veterans affected in 2015: 7,127


VA Data Breaches Continue to Fall


The total number of lost PIV cards reported for the month of August was 117: The lowest number reported since November 2014.

Pharmacy mis-mailings are relatively rare, with just a handful of mis-mailed items reported each month. It would appear that extra care has been taken in August, as remarkably, only one error was made out of 6,811,826 mailings. This is a significant reduction over the past three months, where pharmacy mis-mailings had risen into the twenties.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Mishandling incidents are also significantly down. For the past six months, mishandled incidents per month have gone into three figures. In August, the number fell to just 84. The VA has not reported such low figures since November 2014.

The number of lost devices also decreased, falling from 56 in July to 47 in August. The average number of lost devices per month for the last 9 months is 54. However, mis-mailing incidents have remained similar to past months, with 148 incidents reported in August.

Many of the security incidents detailed in the report follow a similar pattern to previous months, and typically involve patient A being sent information relating to patient B.

However, serious data security failures have been discovered in the VA Capitol Health Care Network (VISN 5). VISN 5 serves veterans from areas within Maryland, the District of Columbia, and sections of Virginia, West Virginia, and Pennsylvania.

The VA lists the results of an Information Resources Management (IRM) Service Delivery and Engineering (SDE) wall to wall inventory conducted by VISN5, which revealed that 49 items of electrical equipment were missing as of August 10, 2015. These items included 2 laptops, 7 network servers, 3 computer workstations, 2 tablets, 12 network switches and 23 other items of computer equipment such as printers, scanners and computer monitors.

However, 8 days later, after a thorough investigation, the number of missing items was reduced to 29; a much improved figure, but still unacceptably high. It may not always be possible to prevent equipment theft, but it is essential to maintain an accurate inventory and to keep track of all electronic equipment used to store PHI.

Following on from the loss or misplacing of equipment, facility staff have been instructed by the VA to maintain more accurate records of all electronic equipment, and to implement policies and procedures to ensure that all equipment issued to staff is properly protected. Steps must also be taken by VISN 5 to prevent further loss and theft of equipment.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.